Timothy Murphy wrote:
I've seen pam_shield recommended several times for protecting against malicious login attempts; but I'm not quite clear if this requires one to be already running some PAM-based software?
Also, I'm running shorewall, and would prefer a shorewall based protection, but the advice I read on googling for this seemed excessively complicated.
It is my understanding that most, if not all, authentication in CentOS (and most of the major Linux distributions) is routed through PAM, and thus pam_shield could probably be inserted in the authentication path. Since shorewall is Linux based, I would think you could install pam_shield.
pam_shield does sound useful and I intend to deploy it on several of my systems. Another alternative, which I find attractive in cases where access is only for the purpose of system management and not for end user access, is fwknop: http://cipherdyne.org/fwknop/
With fwknop, you completely block access to your services. Then, when you remotely authenticate to fwknopd, it adds iptables rules to open up the ports that you request access to, only from your IP address. fwknopd uses promiscuous mode to sniff the network for UDP authentication packets, so a remote attacker has no idea that it is running since there is no listener. Remote users simply don't see the services that are blocked. The fwknop client uses GPG keys for authentication, so if you set your keyrings and timeouts up correctly, you won't have to keep typing a password to reauthenticate.
I have been running fwknop for several years and have found it to be quite solid and reliable. I don't know what shorewall would do about having another application add rules to the iptables chains.
Nataraj
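An added illustration of the gatekeeping logic described in the reply above; this is constructed demo code, not fwknop's own implementation or wire format, and it substitutes a pre-shared HMAC key for fwknop's GPG authentication. It models the checks a single-packet-authorization daemon must make before opening a port for one source address only (authenticity, freshness, replay, source binding) and the timed removal of the rule; the key, addresses and rule TTL are assumptions.

```python
"""Toy single-packet-authorization (SPA) gatekeeper in the spirit of fwknop.

Constructed illustration, not fwknop's protocol: a UDP datagram carries
{timestamp, client_ip, port} plus an HMAC under a pre-shared key (fwknop
itself can use GPG). The gatekeeper authenticates the packet before parsing
it, rejects stale and replayed packets, requires the claimed IP to match the
sender, then records the iptables rule it would insert and when it expires.
"""
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"   # assumption: stands in for a real shared key
WINDOW = 30                        # seconds a packet is considered fresh
RULE_TTL = 60                      # seconds an opened rule stays in place


def build_packet(client_ip, port, ts=None):
    """Client side: authenticated request to open `port` for `client_ip`."""
    ts = int(time.time()) if ts is None else ts
    body = json.dumps({"ts": ts, "ip": client_ip, "port": port}).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()


class Gatekeeper:
    def __init__(self):
        self.seen = set()    # digests already accepted; prune entries older than WINDOW in practice
        self.rules = []      # (iptables rule, expiry timestamp)

    def handle(self, packet, src_ip, now=None):
        """Server side: return a verdict and, if accepted, queue a rule for src_ip."""
        now = int(time.time()) if now is None else now
        body, _, tag = packet.rpartition(b"|")
        expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            return "bad-hmac"          # unauthenticated data is never parsed
        if expected in self.seen:
            return "replay"            # same packet seen before, even if still fresh
        req = json.loads(body)
        if abs(now - req["ts"]) > WINDOW:
            return "stale"
        if req["ip"] != src_ip:
            return "ip-mismatch"       # rule must only open for the address that sent it
        self.seen.add(expected)
        rule = f"-I INPUT -s {src_ip} -p tcp --dport {req['port']} -j ACCEPT"
        self.rules.append((rule, now + RULE_TTL))
        return "accepted"

    def expire(self, now):
        """Drop rules past their TTL, mirroring the daemon's timed removal."""
        self.rules = [(r, e) for r, e in self.rules if e > now]
        return len(self.rules)
```

A real deployment would hand the rule string to iptables and remove it on expiry; with shorewall in front, that insertion is the interaction the reply above flags as untested.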